Field of the Invention
The technical field of the invention is that of processes and systems for detecting unwanted intrusions into an information network, in particular a computer network. In particular, the invention relates to methods for detecting targeted attacks of the “advanced persistent threat” type, also known by the acronym APT.
Description of the Related Art
Throughout the following text, the terms “targeted attack” and “unwanted intrusion” are used to define the same practice, which involves accessing an information network without authorisation from the manager thereof.
Throughout the text, the term “information network” refers to an information exchange network using any type of means of communication, such as an Ethernet network, a radio network etc. An information network of this type is for example a computer network, a radio network, a professional mobile radio network (also known by the acronym PMR), and in general a network interconnecting a set of appliances to exchange information. An information network refers both to a set of machines interconnected to exchange information and to an individual machine. In other words, a process for detecting unwanted intrusions into an information network according to the invention, in particular a computer network, aims both to detect intrusions on a network formed of a plurality of interconnected machines and to detect intrusions on a single machine which receives information, either via an Internet, Ethernet or radio network or the like or by connecting an information storage device such as a USB stick, a storage disc, a radio antenna etc.
Targeted attacks are a major threat to all organisations, whether they are public services, private businesses or government organisations. A targeted attack or unwanted intrusion of this type generally aims either to collect sensitive information of any type (trade secrets, sensitive political information, bank details etc.) or to take total control of the information network, in particular the computer network, of an organisation. It is often a silent attack which is spread out over time, and of which it is sometimes difficult to measure all of the consequences. These attacks originate from coordinated, organised, well-funded groups of individuals, which target high-value assets. The main difficulty in detecting these targeted attacks is that these groups concentrate on slow, discreet attacks, pass from one host to another without generating regular or predictable network traffic, and put procedures in place to ensure that their actions are not noticed by the legitimate operators of the systems. To do this, they use a whole range of tools, from the use of malicious software, through phishing specific information from particular target individuals, to social engineering techniques.
In the case of a computer network, the conventional defence measures against this type of attack involve using firewalls, intrusion prevention systems, anti-virus programs and network surveillance tools for the computer network of the entity in question. These techniques are often imperfect, to the point where attacks that have been carried out remain undetected for 400 days after their arrival on the attacked network.
A further drawback of these traditional measures is that, even though they make it possible to identify individual events, they do not associate the events with one another, thus preventing a global analysis of the attacks on the network.
A further drawback of the current measures is that they do not make it possible to rapidly process the volumes of data carried by information networks, in particular computer networks.
There is therefore a real need to provide a method for detecting unwanted intrusions into a network which makes it possible to process a large amount of data rapidly so as to give a global view of the network situation and rapidly detect the presence of unwanted intrusions, so as to eliminate them before they place the targeted organisation at risk.